chore(deps): patches dompurify for CVE-2026-41240#5035

Open
alizard0 wants to merge 3 commits into
redhat-developer:release-1.9from
alizard0:RHIDP-13315-1

Conversation

@alizard0 alizard0 commented Jun 30, 2026

Member

Fixes CVE-2026-41240 by patching dompurify to 3.4.0 or higher using surgeon.
https://redhat.atlassian.net/browse/RHIDP-13315

Upstream work: microsoft/vscode#318354 and microsoft/vscode#320010

CVE-2026-41240 dompurify
  patch: 3.4.0
  affected: < 3.4.0
root@1.9.6 /Users/alizardo/Documents/engineering/github/rhdh
└─┬ app@1.0.1 -> ./packages/app
  └─┬ @backstage/plugin-api-docs@0.13.1
    ├─┬ @asyncapi/react-component@2.6.3
    │ └─┬ isomorphic-dompurify@2.22.0
    │   └── dompurify@3.2.6 deduped
    └─┬ swagger-ui-react@5.30.3
      └── dompurify@3.2.6
Upgrading dependency with yarn-lockfile-surgeon → dompurify@3.4.0 ...
root@1.9.6 /Users/alizardo/Documents/engineering/github/rhdh
└─┬ app@1.0.1 -> ./packages/app
  └─┬ @backstage/plugin-api-docs@0.13.1
    ├─┬ @asyncapi/react-component@2.6.3
    │ └─┬ isomorphic-dompurify@2.22.0
    │   └── dompurify@3.4.0
    └─┬ swagger-ui-react@5.30.3
      └── dompurify@3.2.6

CVE-2026-41240 dompurify
  patch: 3.4.0
  affected: < 3.4.0
dynamic-plugins-root@1.9.6 /Users/alizardo/Documents/engineering/github/rhdh/dynamic-plugins
├─┬ backstage-plugin-techdocs@1.16.0 -> ./wrappers/backstage-plugin-techdocs
│ └─┬ @backstage/plugin-techdocs@1.16.0
│   └── dompurify@3.3.1
└─┬ red-hat-developer-hub-backstage-plugin-extensions@0.14.3 -> ./wrappers/red-hat-developer-hub-backstage-plugin-extensions
  └─┬ @red-hat-developer-hub/backstage-plugin-extensions@0.14.4
    └─┬ monaco-editor@0.55.1
      └── dompurify@3.2.7
Upgrading dependency with yarn-lockfile-surgeon → dompurify@3.4.0 ...
dynamic-plugins-root@1.9.6 /Users/alizardo/Documents/engineering/github/rhdh/dynamic-plugins
├─┬ backstage-plugin-techdocs@1.16.0 -> ./wrappers/backstage-plugin-techdocs
│ └─┬ @backstage/plugin-techdocs@1.16.0
│   └── dompurify@3.4.0
└─┬ red-hat-developer-hub-backstage-plugin-extensions@0.14.3 -> ./wrappers/red-hat-developer-hub-backstage-plugin-extensions
  └─┬ @red-hat-developer-hub/backstage-plugin-extensions@0.14.4
    └─┬ monaco-editor@0.55.1
      └── dompurify@3.2.7
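Added example, not code from this PR or the rhdh project: a small Node script that audits an `npm ls`-style tree in the format shown above and reports every resolution of a package that is still below the fixing version, so the paths a lockfile-surgeon override did not reach (here `monaco-editor` still resolving `dompurify@3.2.7`) are listed with their full dependency chain. The sample tree is a constructed copy of the dynamic-plugins output above; the version comparison assumes plain `major.minor.patch` release versions.

```javascript
// Added example (not from the PR): find resolutions of `pkg` below `fixedVersion`
// in an `npm ls` tree. Assumes two drawing characters per nesting level.

// Constructed sample: the dynamic-plugins tree after the surgeon run, in which
// the monaco-editor path still resolves dompurify@3.2.7.
const SAMPLE_TREE = `dynamic-plugins-root@1.9.6 /Users/alizardo/Documents/engineering/github/rhdh/dynamic-plugins
├─┬ backstage-plugin-techdocs@1.16.0 -> ./wrappers/backstage-plugin-techdocs
│ └─┬ @backstage/plugin-techdocs@1.16.0
│   └── dompurify@3.4.0
└─┬ red-hat-developer-hub-backstage-plugin-extensions@0.14.3 -> ./wrappers/red-hat-developer-hub-backstage-plugin-extensions
  └─┬ @red-hat-developer-hub/backstage-plugin-extensions@0.14.4
    └─┬ monaco-editor@0.55.1
      └── dompurify@3.2.7`;

// Numeric major.minor.patch comparison; a pre-release suffix is dropped
// (assumption: sufficient for the release versions npm ls prints here).
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

function versionLessThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// The tree prefix (│ ├ └ ─ ┬ and spaces) grows two characters per level; a stack
// of ancestors indexed by depth gives the full path to each affected node.
function findUnpatched(treeText, pkg, fixedVersion) {
  const stack = [];
  const hits = [];
  for (const line of treeText.split('\n')) {
    const m = line.match(/^([│├└─┬ ]*)(@?[^@\s]+)@(\S+)/);
    if (!m) continue;
    const [, prefix, name, version] = m;
    const depth = prefix.length === 0 ? 0 : prefix.length / 2 - 1;
    stack.length = depth;               // discard entries from deeper siblings
    stack[depth] = `${name}@${version}`;
    if (name === pkg && versionLessThan(version, fixedVersion)) {
      hits.push({ path: stack.join(' > '), version });
    }
  }
  return hits;
}

console.log(findUnpatched(SAMPLE_TREE, 'dompurify', '3.4.0'));
```

Pipe the real `npm ls <package>` output into `findUnpatched` to get the same report for a checkout; an empty result means every resolution path is at or above the fixing version.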

@github-actions

Contributor

Image was built and published successfully. It is available at:

Comment thread yarn.lock Outdated
linkType: hard

"dompurify@npm:=3.2.6, dompurify@npm:^3.2.4":
"dompurify@npm:=3.2.6":
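Review bot: the exact-pin resolution key `dompurify@npm:=3.2.6` survives this change, so whichever dependent declares that pin still receives 3.2.6 after the surgeon run (the post-upgrade tree in the PR description shows swagger-ui-react resolving dompurify@3.2.6); either extend the override to the `=3.2.6` descriptor as well, or state in the description why that path is left on an affected version.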

Member


This is still pinned. Can we update it?

Member Author


Updated.

alizard0 commented Jul 3, 2026

Member Author

Dompurify is a false-positive:

  1. In monaco-editor, dompurify is bundled directly into the source code at build time; it appears in the package.json only for dependency tracking.
  2. Monaco-editor does not use the specific vulnerable code paths or APIs reported by this CVE.
  3. There is an upstream fix already merged into the VSCode codebase which will be propagated soon to monaco-editor-core.
  4. No security risk to rhdh.

github-actions Bot commented Jul 3, 2026

Contributor

The container image build and publish workflows were skipped (either due to [skip-build] tag or no relevant changes with existing image).

@alizard0 alizard0 requested a review from kim-tsao July 3, 2026 13:21
openshift-ci Bot commented Jul 3, 2026


@alizard0: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-ocp-helm | fc168cb | link | true | /test e2e-ocp-helm |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
